As we've seen with other tools and utilities, administrators typically use certain things to do their job more efficiently, and those things are often abused by attackers for exploitation. After all, hacking is just the process of getting a computer to do things in unexpected ways. Today, we will be covering various methods to perform banner grabbing to learn more about the target system.
Banner grabbing is a technique used to gather information about running services on a computer system. Banners refer to the messages on the host that usually provide a greeting or version information. An attacker can use banner data to their advantage by obtaining specific version numbers of services to aid in reconnaissance and exploitation.
- Don't Miss: Conduct Recon on a Web Target with Python Tools
To learn about banner grabbing, we will be using Metasploitable 2 as the target and Kali Linux as our local machine. In a terminal window, let's do a quick Nmap scan on the target to see what's running:
~# nmap 10.10.0.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:00 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0024s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:1D:09:55:B1:3B (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Method 1: Telnet
The first tool we'll use to do some banner grabbing is telnet. This unassuming little utility might not seem very useful when it comes to penetration testing, but its value lies in the fact that it's present on virtually any system.
The syntax is telnet, followed by the IP address of the machine you wish to connect to, followed by the port number. We can use telnet to get version information for FTP, which runs on port 21:
~# telnet 10.10.0.50 21
Trying 10.10.0.50...
Connected to 10.10.0.50.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
We can do the same for SSH, running on port 22:
~# telnet 10.10.0.50 22
Trying 10.10.0.50...
Connected to 10.10.0.50.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
We can even use it to grab the banner of a web server, which usually runs on port 80. Once connected, type something, and it will display some information for us. For instance. I typed "help" once connected:
~# telnet 10.10.0.50 80
Trying 10.10.0.50...
Connected to 10.10.0.50.
Escape character is '^]'.
help
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
Connection closed by foreign host.
We can see it returns a tiny bit of HTML, including what appear to be directories, plus a welcome banner on the system. We also get lucky with this one since it contains both an email and login credentials.
Method 2: Netcat
Now, we will perform banner grabbing with Netcat, a utility that is very common on Linux systems and can be abused in all sorts of ways. We can use it to connect to certain ports and gather information.
First, let's connect to the FTP service on port 21, just like we did with telnet:
~# nc 10.10.0.50 21
220 (vsFTPd 2.3.4)
We can do the same with SSH on port 22:
~# nc 10.10.0.50 22
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
And again on port 80:
~# nc 10.10.0.50 80
hi
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
We can also utilize Netcat to communicate with the web server. For example, we can use the HEAD method to get the header information about the server:
~# nc 10.10.0.50 80
HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Wed, 19 Jun 2019 18:28:12 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Connection: close
Content-Type: text/html; charset=iso-8859-1
Even though it was a bad request, we still got the exact version number of Apache.
We can send a GET request as well, which will return the contents of the webpage:
~# nc 10.10.0.50 80
GET / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Wed, 19 Jun 2019 18:29:19 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80</address>
</body></html>
In this case, we still get a bad request, but this method can return HTML and other useful information.
Method 3: Curl
Curl, often stylized as cURL (Client URL), is a command-line tool used for transferring data. It is most commonly used for HTTP, but it supports a wide variety of other protocols.
We can also use curl to grab the banner of the web server. However, we don't need to specify the port number this time as we did with the previous tools:
~# curl 10.10.0.50
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
We can also use the -I flag to fetch the HTTP header:
~# curl -I 10.10.0.50
HTTP/1.1 200 OK
Date: Wed, 19 Jun 2019 18:32:06 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.24
Content-Type: text/html
This time we get a 200 OK, plus some information pertaining to the PHP version.
Method 4: Nmap
The next tool we can use to grab banners is Nmap. When using service detection, Nmap will return information about the running service, such as a version number, but Nmap also has an NSE script that can perform banner grabbing for us.
Use the --script option followed by the name of the script, in this case, banner:
~# nmap --script banner 10.10.0.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:15 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0026s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
|_banner: root@metasploitable:/#
2049/tcp open nfs
2121/tcp open ccproxy-ftp
|_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:10.10.0.50]
3306/tcp open mysql
| banner: >\x00\x00\x00\x0A5.0.51a-3ubuntu5\x00-\x00\x00\x00$&0_n-0L\x00,
|_\xAA\x08\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...
5432/tcp open postgresql
5900/tcp open vnc
|_banner: RFB 003.003
6000/tcp open X11
6667/tcp open irc
| banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostna
|_me...
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:1D:09:55:B1:3B (Dell)
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds
That gave us banners for several services, some easier to read than others.
We can also narrow our focus to a specific port using the -p flag:
~# nmap -sV --script banner 10.10.0.50 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:25 CDT
Nmap scan report for 10.10.0.50
Host is up (0.00065s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
MAC Address: 00:1D:09:55:B1:3B (Dell)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.76 seconds
For example, running this against port 80 gives us some information about the Apache web server.
Method 5: Metasploit
The final banner-grabbing method we will explore is Metasploit. Metasploit has modules that will gather information about telnet, web servers, SMTP, and more.
First, launch Metasploit by typing msfconsole in the terminal. Then, we can use the search command on the msf5 prompt to find any modules relating to banner grabbing:
msf5 > search banner
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/f5_bigip_virtual_server normal Yes F5 BigIP HTTP Virtual Server Scanner
1 auxiliary/scanner/imap/imap_version normal Yes IMAP4 Banner Grabber
2 auxiliary/scanner/pop3/pop3_version normal Yes POP3 Banner Grabber
3 auxiliary/scanner/smtp/smtp_version normal Yes SMTP Banner Grabber
4 auxiliary/scanner/telnet/lantronix_telnet_version normal Yes Lantronix Telnet Service Banner Detection
5 auxiliary/scanner/telnet/telnet_version normal Yes Telnet Service Banner Detection
6 exploit/multi/http/auxilium_upload_exec 2012-09-14 excellent Yes Auxilium RateMyPet Arbitrary File Upload Vulnerability
7 exploit/unix/webapp/openx_banner_edit 2009-11-24 excellent Yes OpenX banner-edit.php File Upload PHP Code Execution
8 exploit/unix/webapp/wp_easycart_unrestricted_file_upload 2015-01-08 excellent No WordPress WP EasyCart Unrestricted File Upload
9 exploit/windows/ftp/proftp_banner 2009-08-25 normal No ProFTP 2.9 Banner Remote Buffer Overflow
The first module we'll use will give us some information about telnet — load it with the use command:
msf5 > use auxiliary/scanner/telnet/telnet_version
And we can take a look at the options:
msf5 auxiliary(scanner/telnet/telnet_version) > options
Module options (auxiliary/scanner/telnet/telnet_version):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
The only thing we need to set for now is the rhosts option. Set it to the IP address of our target, and since this will remain the same for the next few modules, we can use the setg command to set it globally:
msf5 auxiliary(scanner/telnet/telnet_version) > setg rhosts 10.10.0.50
rhosts => 10.10.0.50
Now, all we have to do is run it:
msf5 auxiliary(scanner/telnet/telnet_version) > run
[+] 10.10.0.50:23 - 10.10.0.50:23 TELNET _ _ _ _ _ _ ____ \x0a _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a |_| \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] 10.10.0.50:23 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We can see it gave us a sort of jumbled banner, but again, we did get some credentials from it.
Next, we can use the http_version module to get some information about the web server. Load it up:
msf5 auxiliary(scanner/telnet/telnet_version) > use auxiliary/scanner/http/http_version
And take a look at the options:
msf5 auxiliary(scanner/http/http_version) > options
Module options (auxiliary/scanner/http/http_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.0.50 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
Everything seems good, so let's kick it off:
msf5 auxiliary(scanner/http/http_version) > run
[+] 10.10.0.50:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.24 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
That gave us the Apache version number as well as the PHP version information from it.
We can also scan for the SMTP version that's running. SMTP (Simple Mail Transfer Protocol) is a protocol used for email communication. Load the module with:
msf5 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smtp/smtp_version
And check out the options:
msf5 auxiliary(scanner/smtp/smtp_version) > options
Module options (auxiliary/scanner/smtp/smtp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.0.50 yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
Again, it seems good to go, so we can run the module:
msf5 auxiliary(scanner/smtp/smtp_version) > run
[+] 10.10.0.50:25 - 10.10.0.50:25 SMTP 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\x0d\x0a
[*] 10.10.0.50:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
That returns some information on the SMTP service on the system.
Metasploit also has a couple of other useful scanners for the IMAP and POP3 protocols. These aren't set up on our target, but they work very similarly to the other modules we covered.
How to Prevent Banner Grabbing
Because of the nature of how these services work, banner grabbing is difficult, but not impossible, to prevent. The obvious way to stop this type of attack is to limit the information the service broadcasts, but for a lot of services, it breaks their functionality. Simply disabling banners may provide the best defense against attackers searching for low-hanging fruit.
Another method, which can be utilized for web servers, is to put a proxy in between the server and the internet, which will strip certain information or reformat headers to make detection more difficult. There are also programs available to hide this information from attackers, such as ServerMask and IIS Lockdown.
Wrapping Up
Today, we learned about banner grabbing and how it can be used by an attacker to gather information about the services running on a system. We explored a number of banner-grabbing methods, including using telnet, Netcat, curl, Nmap, and Metasploit. All of this information can be used for reconnaissance, and ultimately, better exploitation.
Cover image by Ildefonso Polo/Unsplash; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!